SIEM For Beginners PDF
www.alienvault.com
A:
We may think of security controls as containing all the information we need to be secure, but often they only contain the things they have detected; there is no before-and-after-the-event context within them.
This context is usually vital to separate the false positive from the true detection, the actual attack from a merely misconfigured system.
Successful attacks on computer systems rarely look like real attacks except in hindsight; if this were not the case, we could automate ALL security defenses without ever needing to employ human analysts.
Attackers will try to remove and falsify log entries to cover their tracks; having a source of log information that can be trusted is vital to any legal proceeding arising from computer misuse.
[Diagram: a SIEM collecting logs from an example network: External Website 4.4.4.4, DMZ Firewall 10.90.0.1, Web Proxy 10.90.0.50, Router, BOBPC1 10.100.23.53, DAVEPC3 10.10123.18, Domain Controller, DHCP Server, Antivirus Controller]
KNOWLEDGE:
Security Controls:
    Intrusion Detection
    Endpoint Security (Antivirus, etc.)
    Data Loss Prevention
    VPN Concentrators
    Web Filters
    Honeypots
    Firewalls
Infrastructure Information:
  Infrastructure:
    Routers
    Switches
    Domain Controllers
    Wireless Access Points
    Application Servers
    Databases
    Intranet Applications
  Configuration:
    Locations
    Owners
    Network Maps
    Vulnerability Reports
    Software Inventory
  Business Information:
    Business Process Mappings
    Points of Contact
    Partner Information
[Diagram: the SIEM at the centre, fed by Network Maps, Configuration and Asset Information, Business Locations, System Logs and Security Controls Alerts, and Business Processes]
[Diagram: the SIEM relating the event below to its context: 10.100.20.0/24 in Pennsylvania, 10.88.5.0/16 in Boston, Accounts Receivable, Software Inventory, 10.100.20.0.18 in Accounting IT, 10.88.6.12 with its Software Inventory, and the account USSaleSyncAcct]
10.100.20.0.18 Initiated Database Copy using credentials USSalesSyncAcct to remote Host 10.88.6.12 - Status Code 0x44F8
Behold: The Power of Correlation
Correlation is the process of matching events from systems (hosts, network devices, security controls, anything that sends logs to the SIEM).
Events from different sources can be combined and compared against each other to identify patterns of behavior invisible to individual devices.
They can also be matched against the information specific to your business.
Correlation allows you to automate detection of the things that should not occur on your network.
Show [All Logs] From [All Devices] from the [last two weeks], where the [username] is [Broberts]
This is also what allows us to do automated correlation: matching fields between log events, across time periods, across device types.
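As an added example (not part of the AlienVault deck) of the correlation described above, the Python below parses the database-copy event shown on the slide and enriches it with asset and business-process context, flagging a copy between sites and a service account used from a unit it does not belong to. The address ranges, sites, units and the expected unit for USSalesSyncAcct are constructed assumptions modelled on the diagram.

```python
import ipaddress
import re

# Constructed sample context, modelled loosely on the slide's diagram: which
# site and business unit each address range belongs to (asset inventory).
ASSETS = {
    "10.100.20.0/24": {"site": "Pennsylvania", "unit": "Accounting IT"},
    "10.88.0.0/16": {"site": "Boston", "unit": "Accounts Receivable"},
}

# Constructed: service accounts and the business unit each one is expected to
# run from. A SIEM gets this from business-process mappings, not from logs.
SERVICE_ACCOUNTS = {
    "USSalesSyncAcct": {"expected_unit": "Sales IT"},
}

# Parser for the event shape shown on the slide (constructed regex).
LOG_RE = re.compile(
    r"^(?P<src>\S+) Initiated Database Copy using credentials (?P<user>\S+) "
    r"to remote Host (?P<dst>\S+) - Status Code (?P<code>0x[0-9A-Fa-f]+)$"
)


def lookup_asset(ip):
    """Return the site/unit record for an IP, or an 'unknown' record."""
    addr = ipaddress.ip_address(ip)
    for network, info in ASSETS.items():
        if addr in ipaddress.ip_network(network):
            return info
    return {"site": "unknown", "unit": "unknown"}


def correlate(line):
    """Enrich one raw event with context; None if it is not a database copy."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, dst = lookup_asset(m["src"]), lookup_asset(m["dst"])
    findings = []
    if src["site"] != dst["site"]:
        findings.append(f"cross-site copy: {src['site']} -> {dst['site']}")
    account = SERVICE_ACCOUNTS.get(m["user"])
    if account is None:
        findings.append(f"unknown account {m['user']}")
    elif account["expected_unit"] != src["unit"]:
        findings.append(f"{m['user']} used from {src['unit']}, expected {account['expected_unit']}")
    return {"src": m["src"], "dst": m["dst"], "user": m["user"],
            "status": m["code"], "findings": findings}
```

Neither finding is visible to the database host or the firewall on its own; they only appear once the event is joined with inventory and business data.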
AlienVault USM capabilities:
  Security Intelligence: AV Labs Threat Intelligence
  Asset Discovery
  Behavioral Monitoring: Log Collection, Netflow Analysis, Service Availability Monitoring
  Vulnerability Assessment
  Threat Detection: Network, Host & Wireless IDS; File Integrity Monitoring
[Table: FEATURES compared for ALIENVAULT USM vs. TRADITIONAL SIEM: Log Management, Event Management, Event Correlation, Reporting, Asset Discovery, Network IDS, Host IDS, NetFlow, Vulnerability Assessment; two entries in the comparison are marked "Not Available"]